VPN not working as responder

[abobakrahmed]

Hello ,
have issue with openswan not working as responder execpt initate traffic that's my configuration :

conn my_vpn2
type=tunnel
authby=secret
auto=start
pfs=no
auth=esp
#Phase1#
ike=aes256-sha1;modp1536
phase2alg=aes256-sha1
aggrmode=no
keyexchange=ike
ikelifetime=86400s
#salifetime=28800s
keylife=3600s
#dpddelay=10
#dpdtimeout=20
#dpdaction=restart
#keyingtries=%forever
forceencaps=yes
left=4.4.4.4
leftsubnet=5.5.5.5/32
leftsourceip=4.4.4.4
right=6.6.6.6
rightsubnets={1.1.1.1/32,2.2.2.2/32,3.3.3.3/32}

[shussain]

Hi, what version of OSW rae you using? Can you post the content of ipsec barf?

[abobakrahmed]

Linux Openswan U2.6.43/K4.14.171-105.231.amzn1.x86_64 (netkey)

[letoams]

On Wed, 15 Jul 2020, Abobakr_Ahmed wrote: Linux Openswan U2.6.43/K4.14.171-105.231.amzn1.x86_64 (netkey)

Not sure why a version was asked, other than to punt the problem to "please upgrade". If you have auto=start and the service starts on startup, check the logs for a message on why it fails. grep the logs for "pluto". Paul

[abobakrahmed]

packet from 6.6.6.6:500: ignoring unknown Vendor ID payload [a9b9b1034f7e50a2513b47b100bb85a9]
| find_host_connection2 called from main_inI1_outR1, me=4.4.4.4:500 him=6.6.6.6:500 policy=none
| find_host_pair: comparing to 4.4.4.4:500 6.6.6.6:500
| find_host_pair_conn (find_host_connection2): 4.4.4.4:500 6.6.6.6:500 -> hp:my_vpn2/0x1
| started looking for secret for 4.4.4.4->6.6.6.6 of kind PPK_PSK
| actually looking for secret for 4.4.4.4->6.6.6.6 of kind PPK_PSK

[abobakrahmed]

can destination telnet but when initiate traffic by telnet 1.1.1.1 443

[letoams]

On Wed, 15 Jul 2020, Abobakr_Ahmed wrote: packet from 196.43.201.208:500: ignoring unknown Vendor ID payload [a9b9b1034f7e50a2513b47b100bb85a9] | find_host_connection2 called from main_inI1_outR1, me=4.4.4.4:500 him=6.6.6.6:500 policy=none

This is a responding exchange, so has nothing to do with whether your connection starts on boot or not ? Maybe should more logs and clarify the problem. More likely the connection never works? Paul

[abobakrahmed]

How can get more logs !
works when I start connection by using telnet cmd but when finished this connection , another destination 6.6.6.6 cannot cannot telnet .

[letoams]

The logs will already be there. Check your system on how it handles logs. Eg via /var/log/secure or journalctl etc....

…

Sent from my iPhone

On Jul 15, 2020, at 16:29, Abobakr_Ahmed ***@***.***> wrote:  How can get more logs ! works when I start connection by using telnet cmd but when finished this connection , another destination 6.6.6.6 cannot cannot telnet . — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.

[abobakrahmed]

ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; force_encaps: yes
000 "my_vpn3/0x1": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,8; interface: eth0;
000 "my_vpn3/0x1": dpd: action:clear; delay:0; timeout:0;
000 "my_vpn3/0x1": newest ISAKMP SA: #0; newest IPsec SA: #9;
000 "my_vpn3/0x1": aliases: my_vpn3
000 "my_vpn3/0x1": IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP1024(2); flags=-strict
000 "my_vpn3/0x1": IKE algorithms found: AES_CBC(7)_256-SHA1(2)_160-MODP1024(2)
000 "my_vpn3/0x1": ESP algorithms wanted: AES(12)_256-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
000 "my_vpn3/0x1": ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000 "my_vpn3/0x1": ESP algorithm newest: AES_256-HMAC_SHA1; pfsgroup=<N/A>

[abobakrahmed]

002 "my_vpn2/0x3" #42: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "my_vpn2/0x3" #42: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp1536}
002 "my_vpn2/0x3" #42: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
002 "my_vpn2/0x1" #43: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#42 msgid:c6c1e035 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
002 "my_vpn2/0x2" #44: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#42 msgid:24dbed3f proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
002 "my_vpn2/0x3" #45: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#42 msgid:6d48017b proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
117 "my_vpn2/0x1" #43: STATE_QUICK_I1: initiate
117 "my_vpn2/0x2" #44: STATE_QUICK_I1: initiate
117 "my_vpn2/0x3" #45: STATE_QUICK_I1: initiate
002 "my_vpn2/0x3" #45: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
002 "my_vpn2/0x3" #45: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "my_vpn2/0x3" #45: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xafcd430e <0x40b2edb7 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
002 "my_vpn2/0x1" #43: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
002 "my_vpn2/0x1" #43: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "my_vpn2/0x1" #43: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xf74eead5 <0x9fbf8a5d xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}
002 "my_vpn2/0x2" #44: Dead Peer Detection (RFC 3706): not enabled because peer did not advertise it
002 "my_vpn2/0x2" #44: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "my_vpn2/0x2" #44: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0xdaa8b71b <0x4b555d19 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}

[abobakrahmed]

i know this logs is huge but if can help me with any commends , will be appreciate

[letoams]

So that looks like it came up fine ? Was this from system startup or a manual ipsec auto —up command ? there were some fixes in the subnets= vs subnet= code in libreswan so on openswan perhaps first try with one subnet ?

…

Sent from my iPhone

On Jul 15, 2020, at 22:06, Abobakr_Ahmed ***@***.***> wrote:  i know this logs is huge but if can help me with any commends , will be appreciate — You are receiving this because you commented. Reply to this email directly, view it on GitHub, or unsubscribe.

[abobakrahmed]

ipsec whack --initiate --name my_vpn2
ipsec whack --status
ipsec auto --status

[deef2020]

Please help me, there was no response when I entered IPSec auto -- up